Question 24
Domain 2: Cluster Hardening
Which statement about Kubernetes service-account tokens and generic application secrets is most accurate?
Correct answer: B
Explanation
Kubernetes service-account tokens are tied to a pod or workload identity and are used to authenticate to the Kubernetes API. Generic application secrets are different because they usually store credentials for external systems, such as database passwords or API keys, so the statement that they serve "different external authentication purposes" matches their typical use.
Why each option is right or wrong
A. They are identical and should be handled with the same lifecycle assumptions
Service-account tokens are workload identities; app secrets are usually external credentials with different rotation and usage patterns.
B. Service-account tokens are workload identities for API access, while application secrets often serve different external authentication purposes
Kubernetes service-account tokens are issued to a ServiceAccount and, by default, are mounted into Pods so the workload can authenticate to the API server under RBAC; since v1.22 they are typically short-lived, bound tokens via the TokenRequest API and BoundServiceAccountTokenVolume, not generic app credentials. By contrast, Secret objects of type Opaque are commonly used to hold external-system credentials such as database passwords or API keys, so the distinction in purpose is the one the exam is testing (see Kubernetes docs on ServiceAccounts and Secrets; CKS Task 2.3 and 4.2).
C. Application secrets automatically rotate whenever Pods restart
Pod restarts do not inherently rotate arbitrary application secrets; rotation depends on how the secret is managed.
D. Service-account tokens can only be stored in ConfigMaps
Service-account tokens are not limited to ConfigMaps; Kubernetes commonly exposes them through other mechanisms.